Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).

“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.

Our main result is that we are in possession of a “rogue” Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the “root CA certificates” present in the so called “trust list” of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as “secure”, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with “https://” instead of “http://”, and displaying reassuring phrases such as “This certificate is OK” when the user clicks on security related menu items, buttons or links.

Researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands helped in the design and implementation of the attack using an advanced implementation of a known MD5 collision construction and a cluster of more than 200 PlayStation 3 game consoles.

According to Sotirov, a rogue CA in combination with Dan Kaminsky’s DNS attack can have serious consequences:

For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.

Sotirov said the team was able to secure NDAs in advance of briefing the major browser vendors about the problem but because of issues — some practical and some political — there are no straightforward fixes unless the CAs stop using MD5 and move to the more secure SHA-1 algorithm.

To avoid abuse, the team back-dated its rogue CA (it was set only for August 2004) and will not release the private key. “We’re also not going to release the special code that we used to do the MD5 collisions until later this year,” Sotirov added.

“We don’t anticipate this attack to be repeatable very easily. If you do a naive implementation, you would need six months to run it successfully,” he added.

According to Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, the key objective of the research was to stimulate better Internet security with adequate protocols that provide the necessary security.

The key takeaway, according to Lenstra: “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.”
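The exposure the article describes is an MD5-based signature somewhere in a certificate chain. As an added example (not code from the article or from the research team), the Python below walks just enough of a certificate's DER structure to read its signatureAlgorithm OID and flags MD5 algorithms; it also compares the outer signatureAlgorithm with the inner TBSCertificate.signature field, which RFC 5280 requires to match. It uses only the standard library; the OID tables, function names and the constructed certificate skeletons (no real key or signature) are assumptions of this example.

```python
# Signature-algorithm OIDs (assumed tables, not from the article). MD5-based
# entries are the weak set; the others are listed only so reports read well.
MD5_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (OIW)",
}
OID_NAMES = {
    **MD5_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_seq):
    """OID from AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }."""
    tag, oid, _ = read_tlv(alg_seq, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def signature_oids(cert_der):
    """Return (outer, inner) signature OIDs of one DER-encoded certificate.

    outer = Certificate.signatureAlgorithm, inner = TBSCertificate.signature;
    RFC 5280 requires them to match, so a mismatch is itself a red flag.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)    # signatureAlgorithm
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip optional [0] EXPLICIT version
    _, _, pos = read_tlv(tbs, pos)           # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)     # signature
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)

def audit_chain(chain_der):
    """Per certificate: (index, algorithm name, signed with MD5?, inner == outer?)."""
    report = []
    for i, cert in enumerate(chain_der):
        outer, inner = signature_oids(cert)
        report.append((i, OID_NAMES.get(outer, outer),
                       outer in MD5_SIG_OIDS, outer == inner))
    return report

# --- constructed sample data: minimal DER skeletons, not real certificates ---

def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def fake_cert(outer_oid, inner_oid=None):
    """Skeleton: v3 version, serial 1, both signature fields, dummy signature."""
    inner = der(0x30, encode_oid(inner_oid or outer_oid) + der(0x05, b""))
    outer = der(0x30, encode_oid(outer_oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner)
    return der(0x30, tbs + outer + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    chain = [fake_cert("1.2.840.113549.1.1.11"), fake_cert("1.2.840.113549.1.1.4")]
    for idx, name, weak, consistent in audit_chain(chain):
        print(idx, name, "WEAK: MD5" if weak else "ok", "" if consistent else "OID MISMATCH")
```

Feeding real DER (for example the output of `openssl x509 -outform DER`) to `audit_chain` works the same way, since the parser only touches the outer layers every certificate must have.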


March 9, 2008: The U.S. Air Force is buying 300 PlayStation 3 game consoles. Not to play games, but because it's the cheapest way to get the powerful processors that create the photorealistic graphics for PlayStation games. Air force researchers want to use these processors (similar to the ones found in high end video cards) to build faster computers for military use. The CPU manufacturer was not willing to sell the PlayStation processor separately, at least for a reasonable price. So it was easier to just buy PlayStation 3s.

This use of video game electronics, for other purposes, is nothing new. Military researchers began doing this sort of thing in the late 1990s with graphic processors. This led to the introduction last year of modified graphic cards, which produce supercomputer type results, but at a very low cost. These were basically Nvidia 8800 graphic cards tweaked to just crunch numbers (one card equals half a teraflop of computing power). Each of these PCI cards costs about $1,500. For under $20,000 you have yourself a four teraflop supercomputer, and it looks like just another PC. By building this kind of computing power into weapons systems (like sonars and radars), you can improve their performance (speed and accuracy) enormously. This kind of computing power also makes UAVs and other robotic systems much smarter, even when they are under the control of a human operator.


nofakenews

This isn't as bad as it sounds. Not only do you need a lot of expensive hardware to pull off the attack, but the user still needs to go to a phishing website for this attack to be utilized.

I'd guess that the NSA has been able to do this well before now. By the time Joe Schmo would be able to do this most servers would be using better encryption techniques.

Yeah, I agree. This is an MD5 hashing algorithm and not encryption, so this is theoretical in nature, but as long as you are smart enough to use encryption you should be OK. I think this post is important as I look for more attacks to take control of our internet, and just today I was listening to Glenn Beck on the radio and he was talking about how they don't like people doing all this talking online.

From the article it sounds like the encryption has not been hacked. Rather hackers have found a way to steal the keys used to decrypt the message. If the MD5 algorithm could be directly hacked this would be a bigger problem. But what we have here is someone finding a way to steal what is in effect a password (not in the logon to your account sense, but in the decrypt the message sense as in PGP or something along those lines).

Hardly earth shattering... the theory had been floating around for months before that, they just finally went and did it. Doubt it's gonna change anything either, many servers can already use SHA-1 instead of MD5... now the problem is getting all browser and other clients on the same page. Most common ones already can/do.

What is still not being talked about is how many collisions they had to track to get the hash... my guess it was several hundred thousand... really enough to not worry about this for a couple years yet. There is also some debate that not ALL MD5 certs can be cracked this way, only some. But anyways, anything recent will be off MD5 anyways so the point is kinda irrelevant.


Saying that online banking is 100% compromised =/= earth shattering.

In terms of security, if you have 100 doors, and 99 of those 100 are locked, you are not 99% safe, or 1% insecure. You are 100% insecure.

Those CELL processors were powerful enough to get the attention of the USAF that they bought 300 of the PS3's to use in military systems. Using such power it is feasible that even SHA-1 could be broken as well. But SSL is still significantly in use, and I would not be surprised if those hackers get contacted by MITRE to come and work for them. The govt. can seize on this type of opportunity to further propagate their ID theft extortion scam of making sure you are a victim of ID fraud in the future unless you are paying the NWO-the wolf guarding the henhouse, your monthly fee (slavery) for them not to more dramatically ruin your life. The title may not have been the best, but they said "basically, we broke SSL", same difference. The security of it is compromised, and should never be used again.


Yeah - US military pays foreign hackers at some kind of conference to purposely break the MD5 SSL - to stimulate the computer industry - this will generate billions of dollars in updating servers and software costs. But the end result is another security system to hack.



In response to industry pressure and a Presidential Directive issued earlier this year, the Bureau of Industry and Security (BIS) published an interim final rule on October 3, 2008 modifying the Export Administration Regulations (EAR) governing the export of hardware, software and technical data using encryption technology. The rule makes some marginal changes to the regulations but falls short of any significant restructuring of the regulatory regime which has been in place for almost a decade. Despite the limited nature of the changes, many U.S. companies will need to tweak their compliance practices immediately in order to comply with the new rules — there is no “grace period” for implementation.

The new rule, ironically entitled “Encryption Simplification”, takes up eighteen pages in the Federal Register. BIS plans on developing additional guidance to be posted on its website as questions will inevitably be raised regarding the correct interpretation of certain provisions contained in the final rule.

Good News for Some

Companies in the business of making products for the consumer market will benefit from the regulatory changes. For example, companies that make mass-market products using weak cryptography (now defined as using key lengths not exceeding 80 bits; for asymmetric algorithms with key lengths not exceeding 1024 bits; and for elliptic curve algorithms with key lengths not exceeding 160 bits) no longer have to submit a notification of self-classification prior to export. These products can be classified as 5X992 and exported under “NLR”.

The new regulation introduces a category of products performing “ancillary cryptography” and exempts them from review and reporting requirements. Examples provided by BIS in its definition of ancillary cryptography in section 772.1 of the EAR include “business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); automotive, aviation and other transportation systems.” Relief from the review and reporting requirements is also given to companies making products using short-range wireless technology.

BIS has also raised the thresholds that allow some network infrastructure equipment to be exported under the unrestricted provisions of ENC. As a consequence, low-end virtual private network (VPN) hardware and other wide area networking products can now potentially qualify for license-free shipment to both commercial and government end-users worldwide.

All exporters will benefit by the inclusion of Bulgaria, Canada, Iceland, Romania and Turkey to the “License Free Zone” (also known as the “Supplement 3 countries”). Both government and commercial entities in these countries may receive product under ENC once a review request is submitted.

Bad News for Others

BIS has made a change affecting the classification of mass-market products that could present a compliance challenge for companies who may conduct a limited international release of product coincident with the submission of a technical review. Companies had previously been allowed to self-classify mass-market products as 5X992 and export under NLR (no license required) pending a 30 day BIS review. The new rules require that future products be temporarily classified as 5X002 pending a final BIS determination and export be made according to the provisions of ENC. This change is viewed as a roll-back of an existing liberalization and will undoubtedly be cited in comment letters to BIS. Companies will likely claim that expensive system change requirements in their order processing, export documentation and ERP systems will be required to comply with the new rule.

BIS is actively working on a long range plan to further modify the encryption regulations. However, given the fact that this is an election year and that fundamental changes to U.S. encryption export rules will require Wassenaar Arrangement approval there will likely be no further changes for at least a year to eighteen months.

U.S. encryption export policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports and reexports of strong encryption to foreign governments. Effective December 9, 2004, the Export Administration Regulations (EAR) have been amended in order to streamline and strengthen export and reexport controls on encryption items, in keeping with these principles.

This policy update includes the following features:

(1) All encryption items are eligible for 30 day review based on a more clearly articulated set of eligibility criteria

This rule simplifies the License Exception ENC technical review process by implementing a uniform 30 day period for most encryption reviews and clarifying the criteria by which the licensing requirement to certain “government end-users” is determined. Now, except for commodities and software that provide an “open cryptographic interface” or that are specified in the revised paragraph (b)(2) of License Exception ENC (§740.17(b)(2) of the EAR), all encryption products submitted for review under License Exception ENC qualify to both “government end-users” and non-“government end-users” under paragraph (b)(3) of the license exception (§740.17(b)(3)).

To strengthen this review process, this rule authorizes the Bureau of Industry and Security (BIS) to, at any time, require additional technical information about an encryption item submitted for review and, if the information is not furnished, to suspend or revoke authorization to use License Exception ENC with respect to the item for which the information is sought.

(2) The European Union “license-free zone” has been updated

This rule expands the list (Supplement No. 3 to part 740 of the EAR) of countries to which certain encryption items may be sent immediately (i.e., without a 30 day waiting period), once a review request is submitted to the U.S. Government. This list now covers all current members of the European Union (EU) to include those countries that joined the EU on May 1, 2004. Specifically, this rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia, and Slovenia to Supplement No. 3 to part 740 because those countries were admitted to the European Union on May 1, 2004 and were previously not listed in this supplement. (Although the Czech Republic, Hungary, and Poland were also admitted to the European Union on May 1, 2004, these three countries were previously part of the EU “license-free zone” and therefore already listed in Supplement No. 3 to part 740.)

To further ensure that companies in the U.S. can effectively trade with their “license-free zone” partners, this rule allows encryption items and related technical assistance to private sector end-users headquartered in Canada or any country listed in Supplement 3 to part 740 for internal company use in the development of new products, without prior technical review. However, review is still required for new products produced or developed with an item that had been exported or reexported without review for such internal company use, before the products are transferred to others.

(3) Separate requests for de minimis eligibility are no longer required

This rule removes the requirement to make a separate request for de minimis eligibility when submitting a review request under License Exception ENC. Except for prohibitions on de minimis treatment for encryption technology controlled under Export Control Classification Number (ECCN) 5E002 to any foreign destination, or for “network infrastructure” products and other commodities and software listed in §740.17(b)(2) of the EAR going to a destination in Country Group E:1, foreign made items incorporating U.S. origin encryption items that have met specified notification or review requirements will be treated like foreign made items that incorporate other U.S. origin items, in terms of de minimis eligibility.

For “publicly available” encryption software that has been posted to the Internet under the notification procedures of License Exception TSU (§740.13(e) of the EAR), this rule permits updates or modifications to be made to such software without additional notification, provided the Internet location of the software has not changed.

(5) References to “retail” have been removed

To alleviate confusion with respect to the treatment of “mass market” encryption products under §742.15(b)(2) of the EAR, this rule removes the word “retail” from License Exception ENC (except from a “grandfathering” paragraph that allows the continued export and reexport of encryption commodities and software previously classified as “retail” without additional review).

This rule removes the requirement that exporters of beta test encryption software report the names and addresses of their beta testers, and permits key lengths of products that have previously been reviewed and authorized under License Exception ENC to be increased with a simple e-mail notification procedure (instead of through a certified letter from a corporate official).

=======================================================================
Here's the update posted to cryptome... edited for length... see full doc at cryptome link
=======================================================================

SUMMARY: The Bureau of Industry and Security (BIS) published the interim final rule entitled ``Encryption Simplification'' on October 3, 2008 (73 FR 57495). This rule finalizes that rule, corrects errors published in the October 3, 2008 interim final rule, and resolves inconsistencies in that rule identified by the public.

DATES: Effective Dates: This rule is effective October 15, 2009.

SUPPLEMENTARY INFORMATION:

Background

BIS published the interim final rule entitled ``Encryption Simplification'' on October 3, 2008 (73 FR 57495). This rule removed section 744.9 of the EAR, which set forth requirements for authorization from BIS for U.S. persons to provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities or software that, if of U.S.-origin, would be ``EI'' controlled under ECCNs 5A002 or 5D002. Section 744.9 was added to the EAR in 1996 when jurisdiction over dual-use encryption items was transferred from the Department of State to the Department of Commerce. However, other parts of the EAR that referred to section 744.9 were inadvertently not removed. Therefore, this rule removes these references in Sec. 730.5(d), Sec. 734.5(c), Sec. 736.2(b)(7)(ii), and Sec. 744.1(a)(1). In addition, other corrections are made to harmonize with revisions made in the ``Encryption Simplification'' rule published on October 3, 2008. Some of the revisions in this rule are the results of requests for clarification from the public on the October 3 encryption simplification rule.

Part 738

Paragraph (a)(2)(ii)(B) of section 738.4 is amended by removing a reference to the mass market review requirements in section 742.15(b) for 5A992 and 5D992, and replacing it with an instruction that the export may be executed under the No License Required (NLR) principle unless the License Requirement section refers the reader to another section of the EAR. E.g., in ECCN 5A002 the License Requirement section not only refers the reader to the Commerce Country Chart in Supplement No. 1 of part 738, but it also refers the reader to section 742.15 of the EAR to determine license requirements.

Part 740

Section 740.17(b)(1)-(3): paragraph (b) is changed for clarity, transparency, and simplification of language authorizing export after review. Authorization language to Supplement 3 countries under the subparagraphs of (b)(1) was complex and confusing to exporters. Under the reorganization of License Exception ENC, there is no need to exclude exports to countries listed in Supplement 3 from authorization under paragraphs (b)(2) and (b)(3). Such exclusions are removed here. Once a review has been submitted, Paragraph (b)(1)(i) is intended to authorize immediate export to the Supplement 3 countries of all encryption items (except ``cryptanalytic items'' to ``government end-users''). After the review is complete, all items except technology and Open Cryptographic Interfaces (OCIs) are authorized by paragraphs (b)(2), (b)(3), or (b)(4). As the language has been revised, four sets of authorization language will cover almost all items authorized for export and reexport. The four authorizations will be:

Prior to the implementation of this final rule, paragraph (b)(4) authorized immediate export under (b)(2) or (b)(3) for source code and key length limited items. However, with the authorization under (b)(4), it was no longer clear that (b)(2) items were not authorized for immediate export to ``government end-users'' outside the Supplement 3 countries. The added language implemented by this rule makes clear that this continues to be true. Products that would not be authorized for permanent export to certain ``government end-users'' should not be authorized for temporary export to those end-users. This rule revises section 740.17(b)(1)(i) of the EAR to remove the phrase ``(excluding source code),'' because BIS has received a number of inquiries from the public who are confused by this phrase appearing in this paragraph. This paragraph describes exports and reexports to government end-users and non-government end-users located in a country listed in Supplement No. 3 of section 740.17 of the EAR that are eligible for License Exception ENC once a review request is registered with BIS, including commodities and software that are pending review (under section 742.15(b)) for mass market treatment (ECCNs 5A992.c and 5D992.c). Encryption source code is not eligible for such mass market treatment. This is what the phrase ``(excluding source code)'' refers to. Although this phrase only refers to software that is pending review for mass market treatment (under section 742.15(b)), and thus does not pertain to any other License Exception ENC-eligible encryption source code (e.g., as described in section 740.17(b)(2)(ii)), it has nonetheless proven confusing and so is being removed. This rule revises section 740.17(b)(4) to fix an incorrect citation and to clarify what is authorized by each subsection of paragraph (b)(4). Paragraph (b)(4) should contain specific authorization language like all other License Exception ENC paragraphs. The addition of the introductory sentence accomplishes this. The second sentence makes it clear that paragraph (b)(4)(ii) does not authorize subsequent export from the United States of the foreign developed products. This rule adds text to sections 740.17(b)(4)(ii) and 742.15(b)(2) to provide clarification to the regulated community that foreign products developed with or incorporating U.S.-origin encryption source code authorized for export under License Exception TSU (section 740.13(e)) that are subject to the EAR are also excluded from review requirements and that after a mass market review request is submitted, there is no waiting period for export to certain end-users as authorized by sections 740.17(a) and 740.17(b)(1)(i), or for certain encryption items as authorized by section 740.17(b)(1)(ii). This rule also makes slight editorial corrections to sections 740.9(c)(3), 740.13(d)(2), 740.17(b)(2)(ii) and 740.17(e)(1)(i)(C).

Part 742

The second sentence in paragraph (b)(1) of section 742.15 is revised and the fourth sentence removed to conform to the new mandatory SNAP-R procedures (published August 21, 2008, effective October 20, 2008, 73 FR 49323) for submission of review requests.

Supplement No. 6 to part 742 ``Guidelines for Submitting Review Requests for Encryption Items'' is amended by removing the fourth and fifth sentences of the introductory paragraph to harmonize with the new mandatory SNAP-R procedures (published August 21, 2008, effective October 20, 2008, 73 FR 49323) for submission of review requests. This rule adds text to introductory paragraph (a), which was inadvertently omitted in the October 3 rule, explaining that appropriate technical information must accompany the review request. This language was in the introductory paragraph to Supplement 6 prior to the October 3 publication. The intent was to move it to paragraph (a) where it would be more visible. Instead it was inadvertently removed. Also, paragraph (c)(6) is corrected to refer to ECC (elliptic curve cryptography), as opposed to ECCN (Export Control Classification Number).

Part 744

The fifth sentence in paragraph (a)(1) of section 744.1 of the EAR is removed, because it refers to section 744.9, which was removed by the October 3 encryption simplification rule.

Part 772

Exporters have been confused by the Nota Bene to the ``personal area network'' (PAN) definition. This rule deletes some of the text in that note for clarity. In one of the deleted sentences, the words ``enterprise'' and ``long range'' in the absence of a specific 30 meter range limitation could be read to include intermediate-range devices. What is authorized by section 740.17(b)(4)(iii) are certain ``PAN'' items with nominal operating ranges not exceeding 30 meters. This rule deletes other text where the language could also be misunderstood to describe items clearly not eligible for section 740.17(b)(4)(iii) treatment. ``PAN'' items are not necessarily eligible for section 740.17(b)(4)(iii). Eliminating the confusing examples should help the public understand why a ``data capable wireless telephone'', for example, is not eligible for section 740.17(b)(4)(iii) self-classification. In addition, this rule revises the Nota Bene for the term ``ancillary cryptography'' by making editorial clarifications, as well as adding a footnote to clarify that for the purpose of this definition, the term `transportation systems' does not include any Automatic Identification System (AIS)/Vessel Traffic Service (VTS). Secure AIS/VTS and their maritime applications are not considered ``ancillary cryptography''.

Supplement No. 1 to Part 774--Commerce Control List

ECCN 5B002 is amended by adding License Exception ENC to the License Exception section to clarify that this ECCN may be considered for License Exception ENC eligibility. ECCN 5E002 is amended by adding License Exception ENC to the License Exception section to clarify that this ECCN may be considered for License Exception ENC eligibility. ECCN 5E992 is amended by inserting ``according to the General Technology Note'' into the heading to more clearly define the scope of this ECCN. Although the Export Administration Act expired on August 20, 2001, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as extended by the Notice of August 13, 2009 (74 Fed. Reg. 41,325 (August 14, 2009)), has continued the Export Administration Regulations in effect under the International Emergency Economic Powers Act.

* * * * *
(d) * * *
(2) Exclusions. * * * (Once such mass market encryption software has been reviewed by BIS and released from ``EI'' and ``NS'' controls pursuant to Sec. 742.15(b) of the EAR, it is controlled under ECCN 5D992.c and is thus outside the scope of License Exception TSU.) See Sec. 742.15(b) of the EAR for exports and reexports of mass market encryption products controlled under ECCN 5D992.c.
* * * * *

Sec. 740.17 Encryption Commodities, Software and Technology (ENC).

* * * * *
(b) * * *
(1) * * *
(ii) Export and reexport to countries not listed in Supplement No. 3 of this part. License Exception ENC authorizes the export and reexport of the following commodities and software (except certain exports and reexports to ``government end-users'' as further described in paragraph (b)(2) of this section, or any ``open cryptographic interface'' item):
* * * * *
(2) Review required with 30 day wait (non-``government end-users'' only). Thirty (30) days after your review request is registered with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, License Exception ENC authorizes the export or reexport of the following commodities and software to ``government end-users'' located or headquartered in a country listed in Supplement 3 to this part, and also to non-``government end-users'' located in a country not listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR:
* * * * *
(4) Items excluded from review requirements. License Exception ENC authorizes the export and reexport of the commodities and software described in this paragraph (b)(4) without review (for encryption reasons) by BIS, except that paragraph (b)(4)(ii) of this section does not authorize exports from the United States of foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits.
* * * * *
(ii) Foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the U.S.-origin encryption items have previously been reviewed and authorized by BIS (or else authorized for export under License Exception TSU upon meeting the notification requirements of section 740.13(e) of the EAR, without need for further review) and the cryptographic functionality has not been changed. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface.
* * * * *

Sec. 742.15 Encryption items.

* * * * *
(b) * * *
(1) Procedures for requesting review. * * * Review requests must be submitted to BIS in accordance with Sec. Sec. 748.1 and 748.3 of the EAR. See paragraph (r) of Supplement No. 2 to part 748 of the EAR for special instructions about this submission. Submissions to the ENC Encryption Request Coordinator should be directed to the mailing address indicated in Sec. 740.17(e)(1)(ii) of the EAR. BIS will notify you if there are any questions concerning your request for review (e.g., because of missing or incompatible support documentation). * * *
(2) Action by BIS. * * * (Note that once a mass market review request is submitted, there is no waiting period for export or reexport under License Exception ENC to certain end users as authorized by Sec. Sec. 740.17(a) and (b)(1)(i), or for certain items as authorized by Sec. 740.17(b)(1)(ii), while the mass market request is pending review with BIS.) * * *
* * * * *

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests for Encryption Items

18. In section 772.1 the definition for ``ancillary cryptography'' is amended by revising the Nota Bene (N.B.) and the definition for ``personal area network'' is amended by revising the Nota Bene to read as follows:

Sec. 772.1 Definitions of terms as used in the Export Administration Regulations (EAR).

``Ancillary cryptography''.

N.B. Examples of commodities and software that perform ``ancillary cryptography'' are items specially designed and limited to: Piracy and theft prevention for software, music, etc.; games and gaming; household utilities and appliances; printing, reproduction, imaging and video recording or playback (but not videoconferencing); business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, and facilities systems controllers, such as fire alarms and HVAC); automotive, aviation and other transportation systems.\1\ Commodities and software included in this description are not limited to wireless communication and are not limited by range or key length.

\1\ For the purpose of this definition, the term ``transportation systems'' does not include any Automatic Identification System (AIS)/Vessel Traffic Service (VTS). Secure AIS/VTS and their maritime applications are not considered ``ancillary cryptography''.

``Personal area network''. * * *

N.B. ``Personal area network'' items include but are not limited to items designed to comply with the Institute of Electrical and Electronic Engineers (IEEE) 802.15.1 standard, class 2 (10 meters) and class 3 (1 meter), but not class 1 (100 meters) items. IEEE 802.15.1 class 2 and class 3 devices include hands-free headsets, wireless mice, keyboards and printers, bar code scanners and game console wireless controllers, as well as devices or software for transfer of files between devices using Object Exchange (OBEX).
* * * * *

PART 774--[AMENDED]

20. In Supplement No. 1 to part 774 (the Commerce Control List), Category 5 Telecommunications and ``Information Security'', Part 2 Information Security, Export Control Classification Number (ECCN) 5B002 is amended by revising the License Exception section to read as follows: